[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eCert-manager is required for Apigee hybrid to operate, and this guide explains how to download and install it.\u003c/p\u003e\n"],["\u003cp\u003eInstallations on Google Distributed Cloud do not require a separate cert-manager installation, as it comes with its own version.\u003c/p\u003e\n"],["\u003cp\u003eFor OpenShift installations, cert-manager must be installed following the official instructions, and note a known issue with version 1.10.\u003c/p\u003e\n"],["\u003cp\u003eCert-manager version 1.13.0 can be installed using a specific \u003ccode\u003ekubectl apply\u003c/code\u003e command from the cert-manager GitHub.\u003c/p\u003e\n"],["\u003cp\u003eSuccessful installation can be verified by checking for the creation of the \u003ccode\u003ecert-manager\u003c/code\u003e namespace and the presence of running pods like \u003ccode\u003ecert-manager\u003c/code\u003e, \u003ccode\u003ecert-manager-cainjector\u003c/code\u003e, and \u003ccode\u003ecert-manager-webhook\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["| You are currently viewing version 1.12 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to download and install [cert-manager](https://cert-manager.io/docs/), required for Apigee hybrid to operate.\n| **Installations on Google Distributed Cloud**\n|\n| You do not need to install cert-manager if you are\n| performing a fresh installation on one of the following on-premises platforms:\n|\n| - Google Distributed Cloud (software only) on VMware\n| - Google Distributed Cloud (software only) on bare metal\n|\n|\n| Google Distributed Cloud comes with its own version of cert-manager. Apigee can use this Distributed Cloud version of cert-manager.\n| If it is installed in a namespace other than `cert-manager`, you will need to include\n| the namespace with the [`certManager.namespace`](/apigee/docs/hybrid/v1.12/config-prop-ref#certmanager)\n| property in your overrides file.\n| For more information about Google Distributed Cloud and cert-manager, see\n| [Conflicting\n| cert-manager installation](/kubernetes-engine/distributed-cloud/vmware/docs/troubleshooting/known-issues#conflicting-cert-manager-installation).\n|\n|\n| **Installations on OpenShift**\n|\n| If you are installing Apigee hybrid on OpenShift, install cert-manager by following the\n| instructions in [Installation](https://cert-manager.io/docs/installation/)\n| in the cert-manager documentation.\n|\n| See a\n| [Known Issue about cert-manager version 1.10 on OpenShift](https://cloud.google.com/apigee/docs/release/known-issues#271689008).\n\nInstall cert-manager\n\n1. Use the following command to install cert-manager v1.13.0 from GitHub. \n\n ```\n kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml\n ```\n\n\n You should see a response that the cert-manager namespace and several cert-manager resources\n have been created. For example: \n\n ```\n customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io configured\n customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io configured\n ...\n mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured\n validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured\n ```\n2. Use the following command to verify the successful creation of cert-manager namespace and its corresponding components: \n\n ```\n kubectl get all -n cert-manager -o wide\n ```\n\n Your output should be similar to the following example.\n You should see pods for `cert-manager`, `cert-manager-cainjector`, and `cert-manager-webhook`. \n\n ```\n NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES\n pod/cert-manager-abcd1234-7hkt9 1/1 Running 0 35s 10.20.x.x gke-hybrid-on-apigee-data-abcd1234-3d54 \u003cnone\u003e \u003cnone\u003e\n pod/cert-manager-cainjector-abcd1234-6lb4k 1/1 Running 0 35s 10.20.x.x gke-hybrid-apigee-runtime-abcd1234-5hmn \u003cnone\u003e \u003cnone\u003e\n pod/cert-manager-webhook-abcd1234-c8bg9 1/1 Running 0 35s 10.20.x.x gke-hybrid-apigee-runtime-abcd1234-fk39 \u003cnone\u003e \u003cnone\u003e\n\n NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR\n service/cert-manager ClusterIP 10.24.x.x \u003cnone\u003e 9402/TCP 35s app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager\n service/cert-manager-webhook ClusterIP 10.24.x.x \u003cnone\u003e 443/TCP 35s app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook\n\n NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR\n deployment.apps/cert-manager 1/1 1 1 35s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.13.0 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager\n deployment.apps/cert-manager-cainjector 1/1 1 1 35s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.13.0 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector\n deployment.apps/cert-manager-webhook 1/1 1 1 35s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.13.0 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook\n\n NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR\n replicaset.apps/cert-manager-abcd1234 1 1 1 35s cert-manager-controller quay.io/jetstack/cert-manager-controller:v1.13.0 app.kubernetes.io/component=controller,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cert-manager,pod-template-hash=abcd1234\n replicaset.apps/cert-manager-cainjector-abcd1234 1 1 1 35s cert-manager-cainjector quay.io/jetstack/cert-manager-cainjector:v1.13.0 app.kubernetes.io/component=cainjector,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=cainjector,pod-template-hash=abcd1234\n replicaset.apps/cert-manager-webhook-abcd1234 1 1 1 35s cert-manager-webhook quay.io/jetstack/cert-manager-webhook:v1.13.0 app.kubernetes.io/component=webhook,app.kubernetes.io/instance=cert-manager,app.kubernetes.io/name=webhook,pod-template-hash=abcd1234\n ```\n\nSummary\n\n\nYou now have cert-manager installed, and you are ready to install the Apigee hybrid\ncustom resource definitions (CRDs).\n\nNext step\n\n\u003cbr /\u003e\n\n[1](/apigee/docs/hybrid/v1.12/install-create-cluster) [2](/apigee/docs/hybrid/v1.12/install-download-charts) [3](/apigee/docs/hybrid/v1.12/install-create-namespace) [4](/apigee/docs/hybrid/v1.12/install-service-accounts) [5](/apigee/docs/hybrid/v1.12/install-create-tls-certificates) [6](/apigee/docs/hybrid/v1.12/install-create-overrides) [7](/apigee/docs/hybrid/v1.12/install-enable-synchronizer-access) [8](/apigee/docs/hybrid/v1.12/install-cert-manager) [(NEXT) Step 9: Install the CRDs](/apigee/docs/hybrid/v1.12/install-crds) [10](/apigee/docs/hybrid/v1.12/install-check-cluster) [11](/apigee/docs/hybrid/v1.12/install-helm-charts) [12](/apigee/docs/hybrid/v1.12/install-workload-identity)\n\n\u003cbr /\u003e"]]